b'                  FEDERAL ELECTION COMMISSION\n                  OFFICE OF INSPECTOR GENERAL\n                  Washington, DC 20463\n\n\n\n                                                           March 31, 2011\n\nA. Roy Lavik, Inspector General\nU.S. Commodity Futures Trading Commission\nThree Lafayette Centre\n1155 21st Street, NW\nWashington, DC 20581\n\n\nSubject: Final report and comment letter for the Audit Peer Review of the Commodity\nFutures Trading Commission\xe2\x80\x99s Office of Inspector General\n\nDear Mr. Lavik:\n\nAttached is the final report of the System Review report (peer review) of the U.S.\nCommodity Futures Trading Commission\xe2\x80\x99s Office of Inspector General conducted in\naccordance with Government Auditing Standards and Council of the Inspectors General\non Integrity and Efficiency guidelines. Also included is a comment letter associated with\nthe System Review report.\n\nIf you have any questions, please contact me on 202-694-1015. Thank you.\n\n\n\n\nLynne A. McFarland\nInspector General\n\nAttachments\n\x0c                  FEDERAL ELECTION COMMISSION\n                  OFFICE OF INSPECTOR GENERAL\n                  Washington, DC 20463\n\n\n\nMarch 31, 2011\n\nTo A. Roy Lavik, Inspector General\nCommodity Futures Trading Commission\n\nWe have reviewed the system of quality control for the audit organization of the\nCommodity Futures Trading Commission (CFTC) Office of Inspector General (OIG) in\neffect for the period October 1, 2006 through March 31, 2010, and have issued our final\nreport thereon dated March 31, 2011, in which the CFTC OIG received a rating of fail.\nThat report should be read in conjunction with the comments in this letter, which were\nconsidered in determining our opinion. The findings described below were not\nconsidered to be of sufficient significance to affect the opinion expressed in that report.\n\nFinding 1. Independence\n\nOIG Advisory Role - Federal Managers\xe2\x80\x99 Financial Integrity Act (FMFIA)\n\nThe OIG performs an annual audit of the agency prepared control assessments in\naccordance with FMFIA and the Office of Management and Budget Circular A-123,\n\xe2\x80\x9cManagement\xe2\x80\x99s Responsibility for Internal Control,\xe2\x80\x9d revised December 21, 2004. The\nCFTC OIG Semiannual Reports to Congress consistently refer to the work as\n\xe2\x80\x9cconsulting\xe2\x80\x9d and \xe2\x80\x9cadvisory,\xe2\x80\x9d rather than attestation engagements or performance audits.\nThe OIG has performed this work for nine years and the OIG\xe2\x80\x99s planning documents\nspecify the work will be performed in accordance with generally accepted government\nauditing standards (GAGAS). Because it is performed as an audit under GAGAS, no\nadditional independence impairment assessment is required. However, if the work is not\nconducted in accordance with GAGAS, the OIG would need to assess and document the\nindependence of the OIG in the performance of the work, as well as report the\nperformance standards under which the work was conducted and the level of assurance\nprovided.\n\nRecommendation\nThe OIG should ensure Semiannual Reports to Congress clearly and consistently describe\nthe work performed by the OIG, to include the type of professional standards followed in\nthe performance of the work assignments.\n\nCFTC OIG Response\nWe will implement the recommendation and intend to amend our policies and procedures\nas necessary to assure compliance with the recommendation within six months.\n\n                                                                                              1\n\x0cFEC OIG Analysis of Response\nFEC OIG believes that this recommendation when implemented will address the\nweakness identified.\n\nOIG Budget Process\n\nCurrently, the CFTC OIG budget request process is informal and not well documented.\nBoth the Inspector General (IG) and the agency\xe2\x80\x99s Budget Officer describe the OIG as\nhaving access to ample funds to fulfill OIG organization needs, and there have been no\nfinancial impairments for the OIG. We were unable to locate a budget certification\nsigned by the IG that complies with Section 6 (f)(1) of the Inspector General Act of 1978\n(5 U.S.C. App.), as amended, to show that \xe2\x80\x9c\xe2\x80\xa6the amount requested satisfies all training\nrequirements for the Inspector General\'s office for that fiscal year\xe2\x80\xa6.\xe2\x80\x9d\n\nIn addition, currently, the method used by the agency to develop and report budget values\nallocates all costs, except salaries, as overhead based on the number of full time\nequivalents (FTEs). The IG could better demonstrate its financial independence by\npreparing a detailed budget request based on actual funding levels needed to meet its\nbusiness needs, including training and contract funds, and retaining the information to\nshow compliance with the Inspector General Act, as amended (IG Act). Once the\nagency\xe2\x80\x99s allocation of overhead has been performed, the IG should then certify that the\nfinal budget values meet or exceed the initial request.\n\nRecommendation\nThe IG should prepare and certify requests for funds in accordance with the IG Act and\nformalize the OIG\xe2\x80\x99s budget process with the agency to help ensure an independent and\ntransparent budget process.\n\nCFTC OIG Response\nWe will implement the recommendation and intend to amend our policies and procedures\nas necessary to assure compliance with the recommendation within six months.\n\nFEC OIG Analysis of Response\nFEC OIG believes that this recommendation when implemented will address the\nweakness identified.\n\n\nFinding 2. IPA Monitoring\n\nIn addition to reviewing its system of quality control to ensure adherence with\nGovernment Auditing Standards, we applied certain limited procedures in accordance\nwith guidance established by the Council of the Inspectors General on Integrity and\nEfficiency related to the OIG\xe2\x80\x99s monitoring of audit work performed by independent\npublic accountants (IPA) under OIG contract, where the IPA served as the principal\nauditor. The matters described below were identified based on a review of the OIG\xe2\x80\x99s\nmonitoring of the 2009 financial statement audit contract:\n\n                                                                                         2\n\x0cIndependence\n\nThe CFTC OIG did not require the IPA firm selected to perform the 2009 financial\nstatement audit to supply independence forms or other written assurance of the IPA\xe2\x80\x99s\nindependence from the CFTC.\n\nGAS 3.05, Independence, provides for the following: "When auditors use the work of a\nspecialist, auditors should assess the specialist\'s ability to perform the work and report\nresults impartially as it relates to their relationship with the program or entity under audit.\nIf the specialist\xe2\x80\x99s independence is impaired, auditors should not use the work of that\nspecialist."\n\nFor peer review purposes, the Assistant Inspector General for Audit requested a copy of\nthe independence statement from the IPA. Although the independence statement was\nprovided by the IPA during the audit planning phase, and signed by only one of the IPA\'s\naudit staff, the documentation was not included in the final workpapers maintained by the\nCFTC OIG.\n\nRecommendation\nWe recommend that the CFTC OIG should adhere to the GAGAS requirements for\nassessing independence of OIG contractors. Specifically, the OIG should obtain\nindependence statements from all proposed staff of the IPA, or from the partner staffed\non the engagement to represent the firm, during the contracting process. If contract\noption years are exercised, the IPA should provide independence statements for each\noption year exercised.\n\nCFTC OIG Response\nWe will implement the recommendation and intend to amend our policies and procedures\nas necessary to assure compliance with the recommendation within six months.\n\nFEC OIG Analysis of Response\nFEC OIG believes that this recommendation when implemented will address the\nweakness identified.\n\nDocumentation of IPA Monitoring Activities\n\nThe CFTC OIG has not defined how it will perform and document its monitoring of IPA\naudit activities and does not maintain an audit file to document the monitoring and\nreviews performed. According to the Financial Audit Manual, Section 650 (FAM 650),\neven in low level review procedures, there are several IPA audit documents that should\nbe reviewed. Some of these documents include the IPA\xe2\x80\x99s audit strategy, audit summary\nmemo, and audit completion checklist. FAM 650 also lists documentation that should be\nconsidered for retention in the IPA monitoring file including, but not limited to:\n\xe2\x80\xa2       The IPA\xe2\x80\x99s most recent peer review report;\n\xe2\x80\xa2       Independence statement from personnel staffed by the IPA;\n\xe2\x80\xa2       OIG review and approval of the IPA\xe2\x80\x99s planning documents;\n\n                                                                                              3\n\x0c\xe2\x80\xa2          OIG review of the IPA\xe2\x80\x99s audit workpapers;\n\xe2\x80\xa2          Comments provided to the IPA regarding notice of findings and\n           recommendations (NFRs); and\n\xe2\x80\xa2          OIG review of the draft and final reports.\n\nAs evidence of IPA monitoring, the OIG provided copies of various e-mail\ncommunications with the IPA and a copy of the final audit workpapers provided as an\naudit deliverable. The e-mail communications indicate that the OIG was provided audit\ndeliverables for review; however, without documented evidence of OIG review, the peer\nreview team could not determine if the minimum review procedures were met.\n\nRecommendation\nThe CFTC OIG should maintain an audit file (hard copy or electronic) for each financial\nstatement audit or other contracted audit. The file should contain adequate\ndocumentation of the OIG\xe2\x80\x99s review process for monitoring of the IPA according to the\ndetailed guidance in FAM 650 and GAGAS.\n\nCFTC OIG Response\nWe will implement the recommendation and intend to amend our policies and procedures\nas necessary to assure compliance with the recommendation within six months.\n\nFEC OIG Analysis of Response\nFEC OIG believes that this recommendation when implemented will address the\nweakness identified.\n\n\nFinding 3. Audit Follow-up\n\nWe noted the audit follow-up monitoring is not compliant with internal policies. CFTC\nOIG Directive 40, Audit Follow-up Control, provides the following background and\nprocedures for verifying whether or not recommendations for audits and reviews have\nbeen implemented, as follows:\n\n           \xe2\x80\x9cBACKGROUND\n           The Agency\xe2\x80\x99s Audit Follow-up Official (AFO1) is responsible for follow up on all\n           agreed upon actions and/or recommendations made to the Commodity Futures\n           Trading Commission (CFTC, Agency) management by the Office of the Inspector\n           General. The AFO will inform the OIG whether or not the agreed upon actions\n           and/or recommendations have been completed. Such follow-up also applies to\n           reports issued by external auditors, for example, financial auditors contracted by\n           the OIG.\n\n\n\n\n1\n    Currently the Chief Financial Officer.\n\n                                                                                           4\n\x0c       PROCEDURES\n       The AIC is responsible for reviewing and evaluating the reasonableness of\n       information received for purposes of audit, review, or inspection follow-up and\n       keeps the IG appropriately informed. This review by the AIC should also assess\n       the lack of agreement, if any, with the AFO\xe2\x80\x99s determinations.\n\n       A follow-up file will be created and maintained by the AIC for all audit, review\n       and inspection reports. This file will include all relevant information on the open\n       or closed recommendations.\n\n       At least quarterly, the AIC will ascertain the status of any open recommendations\n       made in an OIG report. Any open and unresolved OIG recommendations will be\n       reported in the semi-annual report to Congress for that relevant period.\xe2\x80\x9d\n\nFor the 2008 Use of Contractors Audit, we were not able to locate a follow-up file or\ndocumentation in the audit file indicating management had agreed with the\nrecommendations and had taken action to implement the recommendations. No audit\nrecommendation tracking document for this audit or other OIG audits was provided.\nInstead, a document (Word table) was provided, but it only listed the audits and number\nof recommendations. The table did not allow for the tracking of individual\nrecommendations, or include fields to document the status as completed, fully\nimplemented, or date completed. The Semiannual Reports to Congress for September\n2008 and forward indicate all recommendations made by the OIG were completed or\nfully implemented.\n\nRecommendation\nThe CFTC should implement a more formal recommendation tracking system and\ndocument audit follow-up activity performed by OIG staff, as described in Directive 40.\nAt a minimum, documentation from management providing assurance that OIG\nrecommendations have been fully implemented should be obtained and retained by the\nOIG, prior to making statements to that fact in the OIG\xe2\x80\x99s Semiannual Reports to\nCongress.\n\nCFTC OIG Response\nWe will implement the recommendation and intend to amend our policies and procedures\nas necessary to assure compliance with the recommendation within six months.\n\nFEC OIG Analysis of Response\nFEC OIG believes that this recommendation when implemented will address the\nweakness identified.\n\n\nFinding 4. Documented Policies and Procedures\n\nAs indicated in this comment letter and the main peer review report, many of CFTC\nOIG\xe2\x80\x99s documented quality control processes are not always followed. Examples include\n\n                                                                                          5\n\x0cfailure to comply with the documented standards to make audit reports available to the\npublic via the CFTC OIG internet site and failure to adequately document the IG\xe2\x80\x99s final\nreview of the workpapers.\n\nMost of the peer review Appendix A Policy and Procedures responses prepared by the\nCFTC OIG lacked specific references to documented policies and procedures. For\nexample, the CFTC OIG has directives covering Quality Control (Directive No. 1), Work\nPapers (Directive No. 30), Audit/Review Follow-Up Control (Directive No. 40), and\nReporting (Directive No. 50), but these were not referenced in the Appendix A provided\nfor peer review. Instead, general descriptions of procedures were provided that were not\naligned to the written directives. For example, the following two responses were\nprovided to the peer review team in reference to documented policies and procedures to\nensure performance audit reporting and recommendation tracking comply with GAGAS.\n\n       Audit reports are issued in a standard format and any open recommendations are\n       tracked. Generally the agency has concurred with our recommendations and\n       implemented the change by the time of the final audit report.\n\n       Due to the small size of the OIG multiple reviews of audit reports by all available\n       staff generally detect any errors and/or omissions.\n\nThese undocumented processes described by staff during the peer review did not ensure\nwork performed met minimum quality standards based on the peer review results. Refer\nto Finding 2f, Reporting is not compliant with GAGAS, of the peer review report and\nFinding 3, Audit Follow-up, of this comment letter. A stronger adherence to the\ndocumented policies and procedures would have increased compliance with GAGAS. As\nnoted in this comment letter and the peer review report, the CFTC OIG directives could\nbe strengthened by including additional procedures and controls to ensure compliance\nwith GAGAS and FAM 650. These include, but are not limited to, additional procedures\nto assess and document auditor independence, additional detail on performing and\ndocumenting supervisory review, report referencing, and IPA monitoring activities.\n\nRecommendation\nThe CFTC OIG should review the Appendix A provided to the peer review team and\nidentify areas where responses do not reflect quality processes. Using that review, the\npeer review report and this letter of comment, the members of the OIG should evaluate\nthe weaknesses and issue or update operating procedures for the office to ensure work\nperformed meets minimum quality standards.\n\nCFTC OIG Response\nWe will implement the recommendation and intend to amend our policies and procedures\nas necessary to assure compliance with the recommendation within six months.\n\n\n\n\n                                                                                          6\n\x0cFEC OIG Analysis of Response\nFEC OIG believes that this recommendation when implemented will address the\nweakness identified.\n\n\n\n\nLynne A. McFarland, Inspector General\nFederal Election Commission\n\n\n\n\n                                                                              7\n\x0c                  FEDERAL ELECTION COMMISSION\n                  OFFICE OF INSPECTOR GENERAL\n                  Washington, DC 20463\n\n\n\n\n                                      System Review Report\n\nMarch 31, 2011\n\nTo A. Roy Lavik, Inspector General\nU. S. Commodity Futures Trading Commission\n\nWe have reviewed the system of quality control for the audit organization of the U.S.\nCommodity Futures Trading Commission Office of the Inspector General (CFTC OIG) in effect\nfor the period October 1, 2006 through March 31, 2010. A system of quality control\nencompasses the CFTC OIG\xe2\x80\x99s organizational structure and the policies adopted and procedures\nestablished to provide it with reasonable assurance of conforming with Government Auditing\nStandards (GAS). The elements of quality control are described in GAS. The CFTC OIG is\nresponsible for designing a system of quality control and complying with it to provide the CFTC\nOIG with reasonable assurance of performing and reporting in conformity with applicable\nprofessional standards in all material respects. Our responsibility is to express an opinion on the\ndesign of the system of quality control and the CFTC OIG\xe2\x80\x99s compliance therewith based on our\nreview.\n\nOur review was conducted in accordance with Government Auditing Standards and guidelines\nestablished by the Council of the Inspectors General on Integrity and Efficiency (CIGIE).\nDuring our review, we interviewed CFTC OIG personnel and obtained an understanding of the\nnature of the CFTC OIG audit organization, and the design of the CFTC OIG\xe2\x80\x99s system of quality\ncontrol sufficient to assess the risks implicit in its audit function. Based on our assessments, we\nselected engagements and administrative files to test for conformity with professional standards\nand compliance with the CFTC OIG\xe2\x80\x99s system of quality control. Except as discussed below in\nthe paragraph on scope limitations on page two, the engagements selected represented a\nreasonable cross-section of the CFTC OIG\xe2\x80\x99s audit organization, with an emphasis on higher-risk\nengagements. Prior to concluding the review, we reassessed the adequacy of the scope of the\npeer review procedures and met with CFTC OIG management to discuss the results of our\nreview. We believe that the procedures we performed provide a reasonable basis for our\nopinion.\n\nIn performing our review, we obtained an understanding of the system of quality control for the\nCFTC OIG\xe2\x80\x99s audit organization. In addition, we tested compliance with the CFTC OIG\xe2\x80\x99s quality\ncontrol policies and procedures to the extent we considered appropriate. These tests covered the\napplication of the CFTC OIG\xe2\x80\x99s policies and procedures on selected engagements. Our review\n\n\n\n                                                                                                  1\n\x0cwas based on selected tests; therefore, it would not necessarily detect all weaknesses in the\nsystem of quality control or all instances of noncompliance with it.\n\nThere are inherent limitations in the effectiveness of any system of quality control and therefore\nnoncompliance with the system of quality control may occur and not be detected. Projection of\nany evaluation of a system of quality control to future periods is subject to the risk that the\nsystem of quality control may become inadequate because of changes in conditions, or because\nthe degree of compliance with the policies or procedures may deteriorate.\n\nResults of this peer review indicated that three of the four findings reported by the National\nEndowment for the Humanities (NEH) OIG in the September 27, 2007 peer review report have\nnot been corrected by the CFTC OIG. The findings relate to 1) meeting continuing professional\neducation (CPE) requirements and maintaining adequate documentation to support training\nattended, 2) performing and documenting control assessments, and 3) performing and\ndocumenting independent referencing of audit reports. The three unresolved findings are\nannotated as \xe2\x80\x9crepeat finding\xe2\x80\x9d in this report.\n\nIn our opinion, as a result of the significant deficiencies described below, the system of quality\ncontrol for the audit organization of CFTC OIG in effect for the period ended March 31, 2010,\nwas not suitably designed and complied with to provide CFTC OIG with reasonable assurance of\nperforming and/or reporting in conformity with applicable professional standards in all material\nrespects. Federal audit organizations can receive a rating of pass, pass with deficiencies, or fail.\nThe CFTC OIG has received a peer review rating of fail with a scope limitation. As is\ncustomary, we have issued a letter dated March 31, 2011, that sets forth findings that were not\nconsidered to be of sufficient significance to affect our opinion expressed in this report.\n\nTo ensure the objectivity, accuracy, and completeness of the findings, the FEC OIG peer review\nteam provided written preliminary draft findings and conclusions during a meeting with CFTC\nOIG on August 27, 2010. In addition, a discussion draft report was provided to the CFTC OIG\non December 9, 2010, the exit conference was held on January 6, 2011, and the draft report was\nprovided to the CFTC OIG on February 9, 2011. The CFTC OIG provided written comments on\nthe draft report on March 14, 2011, and these comments have been included in this report in their\nentirety.\n\nThe CFTC OIG notified us that there were no manual or electronic workpaper files for the\nGovernment Performance and Results Act (GPRA) reviews conducted on CFTC performance\ndata submitted to the Office of Management and Budget (OMB) and Congress. According to\nSemiannual Reports to Congress, the work was planned and performed by the CFTC OIG\nannually from 2001 through 2007. As a result, we were unable to review these engagements to\ndetermine whether the role of the CFTC OIG in \xe2\x80\x9cconsulting\xe2\x80\x9d and \xe2\x80\x9cadvising\xe2\x80\x9d the agency, as\ndescribed in the semiannual reports, was subject to additional independence impairment\nassessment as defined in GAS 3.25 through 3.30. We considered this to be a scope limitation in\nthis peer review.\n\nEnclosure 1 to this report identifies the engagements that we reviewed.\n\n\n\n                                                                                                     2\n\x0cWe noted the following significant deficiencies during our review.\n\n1.     Deficiency \xe2\x80\x93 System of Quality Control Design and Evaluation\n\nThe CFTC OIG is responsible for designing a system of quality control and complying with that\nsystem to provide the agency with reasonable assurance of performing and reporting in\nconformity with all applicable professional standards. Currently, the quality control processes,\nas designed, fail to ensure work is planned, performed and reported in accordance with Generally\nAccepted Government Auditing Standards (GAGAS or Yellow Book). Our reviews of the eight\n(8) directives provided by the CFTC OIG to document and evaluate its quality control processes\nidentified the following weaknesses:\n\na.     Work planned and reported as GAGAS was performed under standards other than\n       GAGAS\n\nThe CFTC OIG policies and procedures indicate that audit and attestation engagements are\nperformed to GAGAS standards, however, CFTC OIG quality processes are not designed to\nensure the work was actually performed to those standards. The CFTC OIG quality control\nprocesses do not include a section on planning or guidance that the OIG staff must first consider\nand document the standard under which the work will be planned, performed and reported before\ncommencing fieldwork. The policies do not include instruction that if a decision is made to\nchange the engagement standard, it must be fully documented in the audit files. Further, CFTC\nOIG quality processes did not detect or correct instances where work planned and reported as\nGAGAS failed to meet the standard. GAS section 1.11 states, \xe2\x80\x9cWhen auditors are required to\nfollow GAGAS or are representing to others that they followed GAGAS, they should follow all\napplicable GAGAS requirements and should refer to compliance with GAGAS in the auditors\xe2\x80\x99\nreport as set forth in paragraph 1.12 and 1.13.\xe2\x80\x9d\n\nIn order to determine which OIG work products could be selected for peer review, the peer\nreview team first reviewed the CFTC OIG Semiannual Reports to Congress available on the\nCFTC OIG\xe2\x80\x99s internet site for the periods September 2006 through March 2010. The team then\nreviewed the listings of annual \xe2\x80\x9caudit programs\xe2\x80\x9d provided by the CFTC OIG for fiscal years\n2007 through 2010. The audit programs were a listing of CFTC OIG work in progress for each\nfiscal year. The review of semiannual reports and audit programs was performed during the peer\nreview planning phase and prior to fieldwork. Because the listings of annual audit programs did\nnot specify which work was performed as GAGAS, we requested the OIG staff respond \xe2\x80\x9cyes\xe2\x80\x9d or\n\xe2\x80\x9cno\xe2\x80\x9d as to whether the listed work products were a) performed under GAGAS, and b) the audit\nreport included a statement that the engagement was performed in accordance with GAGAS.\nThe peer review team then interviewed CFTC OIG staff regarding the yes and no responses\nprovided to the annual audit programs and also reviewed the workpaper binders of audits\ncompleted in fiscal years 2008 and 2009.\n\n\n\n\n                                                                                               3\n\x0cThe table on the following page presents the results of an assessment of the CFTC OIG work\nproducts by the peer review team using six criteria:\n\n\xe2\x80\xa2      description in Semiannual Reports to Congress during the planning phase;\n\xe2\x80\xa2      planning documents located in audit files presented for peer review;\n\xe2\x80\xa2      final report or memorandum;\n\xe2\x80\xa2      description in Semiannual Reports to Congress after work completed;\n\xe2\x80\xa2      workpapers or results documents for items where a memorandum was used as the report\n       to the CFTC Chairman; and\n\xe2\x80\xa2      CFTC OIG tables of audit programs and corresponding questions/responses on whether\n       the work was planned and reported under GAGAS.\n\nThe assessment was performed to determine whether or not the work products were planned,\nperformed and reported as GAGAS audits, reviews, or attestation engagements, and thus\nselectable for peer review testing.\n\n\n\n\n                                                                                             4\n\x0c                                             2009 Annual                                                                                2008 Review of\n                                                                     2009 Annual FISMA                2009 Annual FMFIA\n        Assessment Table                       Financial                                                                                 Agency Use of           2006 and 2007 Review of Agency Compliance with GPRA3\n                                                                           Evaluation1                 Compliance Audit2\n                                           Statement Audit                                                                                Contractors\n1. Semiannual reports prior to                                                                                                                                                                2006 Audit\n                                             Annual Audit                 Annual Audit                     Annual Audit                       Audit\nwork (planning phase)4.                                                                                                                                                        2007 review only listed at completion\n                                                                                                       GAGAS (twice) and\n2. Planning documents located in          Includes reference\n                                                                                                      describes the limitation\nthe files presented for peer               to GAAS, GAS,                     GAGAS                                                          GAGAS                                           None Available\n                                                                                                         on controls testing\nreview.                                   and OMB guidance\n                                                                                                             performed\n                                                                    No reference to GAGAS\n                                             Audit opinion                                           No reference to GAGAS\n                                                                         in OIG template\n                                             references US                                                  in 2 sentence\n3. Final report or memorandum.                                        submitted to OMB as                                                   GAGAS                                           None Available\n                                           GAAS, GAS and                                             memorandum. Refers to\n                                                                    part of agency reporting\n                                            OMB guidance                                                  \xe2\x80\x9climited review\xe2\x80\x9d\n                                                                             package5\n4. Semiannual reports after                                                                                                            Completed Audits                                       2006 Audit\n                                             Annual Audit                 Annual Audit                     Annual Audit\ncompleted (reporting phase).                                                                                                              and Reviews                                        2007 Review\n5. CFTC OIG workpapers\n                                                                    GAGAS section 1.23(b)6             GAGAS (twice) and\n(results documents) for items\n                                                                      for the one IT system           describes the limitation\nthat only included transmittal              Not applicable                                                                               Not applicable                                     None Available\n                                                                       selected for detailed             on controls testing\nmemos as official report to\n                                                                              review                         performed\nChairman.\n                                                                                                                                                                  Not included on 2007 list of annual work products but should\n                                                                                                                                                                  have been. The 2008 list of work products states it was not a\n6. CFTC OIG tables of work\n                                             Planned: Yes                                                                                 Planned: No               GAGAS audit, but no records are available to verify. The\nproducts and corresponding                                           Planned: No Response             Planned: No Response\n                                             Reported: No                                                                                   Response                 annual audits are completed after September 30 and are\nquestions on whether GAGAS                                                Reported: Yes                    Reported: Yes\n                                               Response                                                                                  Reported: Yes               reported in the March 2007 and March 2008 semiannual\nplanned and GAGAS reported.\n                                                                                                                                                                   reports. OIG provided positive assurance in reports that the\n                                                                                                                                                                                agency complied with GPRA terms.\n\n\n1\n  The 2007 and 2008 FISMA files were not available for review. It does not appear the workpaper files were prepared or reviewed.\n2\n  The 2007 FMFIA file was reviewed by the Inspector General who did not meet CPE requirements to perform the role. The 2008 file was not subject to supervisory review at the time of the engagement. Review commenced\nduring peer review fieldwork in August 2010. The 2009 file was reviewed prior to peer review fieldwork commencing. The IG Counsel performed the reviews of the 2008 and 2009 files for \xe2\x80\x9cclarity and legal references\xe2\x80\x9d only, not\ncompliance with GAGAS.\n3\n  No manual or electronic workpaper files were available for peer review on the annual compliance audit performed by the OIG from 2001 through 2007.\n4\n  None of the semiannual reports reviewed for March 2006 through March 2010 explicitly stated whether OIG work products were planned or performed under GAGAS, but primarily referred to the engagements as \xe2\x80\x9caudits.\xe2\x80\x9d\n5\n  The 2009 FISMA package was submitted electronically to OMB using data transfer portal. The template report/submission packet does not contain a GAGAS reference.\n6\n  GAGAS section 1.23(b) relates to attestation engagements defined as a review that \xe2\x80\x9cConsists of sufficient testing to express a conclusion about whether any information came to the auditors\' attention on the basis of the work\nperformed that indicates the subject matter is not based on (or not in conformity with) the criteria or the assertion is not presented (or not fairly stated) in all material respects based on the criteria.\xe2\x80\x9d In the schedule Appendix A\nprepared for the peer review, the CFTC OIG staff stated repeatedly that they do not perform attestation engagements.\n                                                                                                                                                                                                                                       5\n\x0cBased on the work product assessment, we selected two audits for peer review testing; the\nReview of Agency\xe2\x80\x99s Use of Contractors (Use of Contractors) and the 2009 FMFIA (Federal\nManagers\xe2\x80\x99 Financial Integrity Act) A-123 Review. 7 Both audits contained statements in the\naudit planning documents that the work would be planned and performed in accordance with\ngenerally accepted government auditing standards. The Use of Contractors report included the\nstatement that \xe2\x80\x9cWe conducted this audit in accordance with generally accepted government\nauditing standards.\xe2\x80\x9d In addition, the FEC OIG\xe2\x80\x99s review of the CFTC OIG\xe2\x80\x99s Semiannual Reports\nto Congress shows that in March and September of 2007, CFTC OIG reported the Use of\nContractors as a current audit. 8 In March 2008, the assignment was identified in the CFTC\nOIG\xe2\x80\x99s semiannual report as a current review. When the assignment was completed, the CFTC\nOIG\xe2\x80\x99s September 2008 semiannual report identified the Use of Contractors as completed under a\nheading labeled \xe2\x80\x9cCompleted Audits and Reviews.\xe2\x80\x9d The 2009 FMFIA A-123 Review planning\nand results documents included the statement \xe2\x80\x9cWe are planning and performing this review in\naccordance with generally accepted government auditing standards.\xe2\x80\x9d Further, the CFTC OIG\xe2\x80\x99s\nMarch 2009 Semiannual Report to Congress listed the FMFIA A-123 Review on the OIG\xe2\x80\x99s audit\nagenda. In September 2009, CFTC OIG\xe2\x80\x99s semiannual report labels the FMFIA A-123 Review as\na current audit, and then in March 2010 as a completed audit.\n\nDetailed review of the two audits showed deficiencies in complying with GAGAS. The CFTC\nOIG was notified of the peer review team\xe2\x80\x99s intent to select these two audits for peer review at the\nbeginning of fieldwork, August 4, 2010, and formally notified the IG prior to the conclusion of\nfieldwork on August 18, 2010. During a meeting to discuss the results of this peer review and\ninterim findings, a CFTC staff member explained that the Use of Contractors work was\nperformed as \xe2\x80\x9cGAGAS-like.\xe2\x80\x9d The IG explained that a decision had been made to change the\nwork from a GAGAS audit to a review not subject to full \xe2\x80\x9cYellow Book\xe2\x80\x9d (GAS) audit standards\nand that the inclusion of the GAGAS performance standard statement in the final report was an\nerror that was not detected during supervisory review. We did not find any documentation in the\nworkpapers to indicate a decision by the OIG to change from GAGAS to another engagement\nstandard. Further, during an interview, the CFTC OIG Assistant Inspector General for Audit\n(AIGA) stated the decision to perform work in accordance with GAGAS is made at the audit\nplanning stage, and documented in the audit plan. The AIGA asserted no audits were planned as\nGAGAS and not completed as GAGAS.\n\nCFTC Directive No. 50, Reporting, lists \xe2\x80\x9cOIG Observations\xe2\x80\x9d as one of six report types that may\nbe produced by the OIG which differs from Formal Reporting of Audit Results because:\n\n        \xe2\x80\x9cOIG observations are the result of very limited scope reviews. When a weakness or\n        other concern comes to the attention of the OIG, the IG may determine that a quick\n        review and notification to Agency management is appropriate, rather than an audit or\n        inspection.\xe2\x80\x9d\n\n7\n  The 2009 annual financial statement audit was also selected to test monitoring of independent public accounting\n(IPA) firm monitoring.\n8\n  This naming and presentation is consistent with a prior audit, Review of the Need for a Los Angeles Office, which\nwas reported as an audit in the March and September 2006 semiannual reports, and selected for peer review in 2007.\n\n\n                                                                                                                 6\n\x0cWe note that the Use of Contractors audit was neither a limited scope nor a quick review. The\naudit was conducted over a fifteen month period from March 2007 through July 2008. The final\nreport was issued August 1, 2008. The executive summary of the final report contains the\nfollowing audit objectives:\n\n        \xe2\x80\x9cThe objective of this audit was to provide the Chairman with a complete picture of the\n        Commission\'s use of contractors and to determine whether the Agency has effectively\n        employed contractors to replace and complement its staff. More specifically, we sought\n        to ensure that the Agency was not employing contractors to perform inherently\n        governmental functions and, for the two largest contracts, was not employing contractors\n        to perform work that could be performed by agency employees at lesser cost."\n\nBased on planning documents, the stated objectives, and the time taken to plan, perform and\nreport the results, we believe the Use of Contractors audit was intended to be performed to\nGAGAS standards as indicated in CFTC OIG directives, planning documents, and the final\nreport. Due to quality control deficiencies, however, the audit failed to meet the stated standards.\n\nThe 2009 FMFIA A-123 review planning and results document stated the work would be\nperformed as a limited review, but also referenced GAGAS performance standards as follows:\n\n\xe2\x80\xa2       \xe2\x80\x9cWe are planning and performing this review in accordance with generally accepted\n        government auditing standards, and\n\xe2\x80\xa2       We will follow Generally Accepted Government Auditing Standards during this review.\xe2\x80\x9d\n\nAgain, the CFTC OIG referenced the plan to perform work in accordance with GAGAS\nstandards, but quality processes failed to detect variances from the standards in documenting and\ncommunicating findings, reporting the complete results of the audit, and the views of responsible\nofficials.\n\nRecommendations \xe2\x80\x93 The CFTC OIG should:\n\n1.a.1   improve its quality control processes, including documented policies and procedures, to\n        ensure that initial and subsequent assessments and decisions to perform work as audits,\n        inspections, investigations or limited reviews are adequately documented and retained in\n        the audit file; and\n\n1.a.2   ensure audit reports fully and accurately reflect the performance standards and include\n        modified or unmodified GAGAS compliance statements, as appropriate.\n\nCFTC OIG Response\nFEC OIG concluded that Use of Contractors was a GAGAS audit. First, FEC OIG based their\nconclusion on the planning documents and the initially stated objectives. Secondly, they based\ntheir conclusion on the amount of time taken to plan, perform and report the results of this\nreview.\n\n\n\n\n                                                                                                   7\n\x0cWe disagree with FEC OIG\xe2\x80\x99s characterization of the Use of Contractors audit as a GAGAS\naudit; however, we take responsibility for any confusion regarding the identity of this report.\nAlthough Use of Contractors was initially intended as a GAGAS audit, we later decided to\nperform this project as a review that would not be GAGAS-compliant. This decision was\nmotivated by the passage of time caused by staff turnover and the distraction of higher\npriorities.9 The decision to conduct Use of Contractors as a non-GAGAS review, instead of a\nGAGAS audit, is evidenced in our Semiannual Reports. We initially described the project as an\naudit (September 2007 CFTC OIG Semiannual Report), but changed the description in the\nMarch 2008 Semiannual Report to \xe2\x80\x9creview.\xe2\x80\x9d10 The September 2008 CFTC OIG SAR contains\nthe only public description of the completed and final Use of Contractors report issued to\nCongress or to the public, and it describes the work performed for this review (as well as our\nconclusions) in some detail, and neither mentions nor describes compliance with GAGAS.11\n\nWith regard to the time taken to plan, perform and report results, FEC OIG does not discuss\napplicable GAGAS provisions imposing time limitations for non-GAGAS audits and we are not\naware of any provisions in GAGAS (or in our own policies/procedures) that would require a\nproject to comply with GAGAS due to the passage of time. The project was intended to be a\nquick turn-around, but both staff turnover and higher priorities, including multiple interactions\nwith the Congress, resulted in the IG extending the completion date, and the Use of Contractors\ntook fifteen months.\n\nCFTC OIG\xe2\x80\x99s error was not properly amending the final report and the planning documents. We\nregret the error, and will take steps to develop and implement policies and internal controls to\nprevent such conflicting and confusing errors in the future.\n\nIn light of the decision not to perform Use of Contractors as a GAGAS audit, instances of non-\ncompliance with GAGAS are numerous. However, we disagree with FEC OIG\xe2\x80\x99s position that\nbecause of these problems that CFTC\xe2\x80\x99s report findings are inaccurate or incomplete in any way.\n\nSpecifically, the decision not to perform a comparison of contractor versus CFTC employee cost\nfor the tasks under two major contracts was a conscious one made by CFTC OIG during the\nprocess and explained in the final report on page 12. We do not believe that FEC OIG is in an\nadequate position to second guess this CFTC OIG decision.\n\nFEC OIG concludes that the 2009 FMFIA A-123 review planning and results document stated\nthe work would be performed as a limited review, but faults 2009 FMFIA A-123 because it also\nreferenced GAGAS performance standards. CFTC OIG\xe2\x80\x99s error was in not fully describing in\ndetail the scope of the limited review. To generally reference GAGAS standards without stating\nany planned limitations, even in the context of the performance of a limited review, was error.\n\n9\n  CFTC OIG Response: Specifically, in the weeks leading up to issuance of the Use of Contractors report, we\nanticipated a Senate request that would require extensive resources.\n10\n   CFTC OIG Response: The decision to alter the original audit plan was also documented informally in an email\nbetween OIG staff that was recently uncovered and previously not provided to FEC OIG.\n11\n   CFTC OIG Response: This review has never been requested under FOIA nor otherwise made public. If so\nrequested, we will provide an updated version that removes the statement regarding GAGAS compliance, with an\nexplanation citing this peer review.\n\n\n                                                                                                                 8\n\x0cWe regret these errors. Aside from the comments noted above, we otherwise agree with the\nfindings and recommendations and have initiated steps to improve CFTC OIG internal controls\nto prevent these errors in the future. These steps include revising our policies and procedures\nproviding for detailed independent referencing of all audits.\n\nFEC OIG Analysis of Response\nDue to the CFTC OIG staff\xe2\x80\x99s inability at the beginning of the peer review to clearly identify\nwhich work assignments were conducted in accordance with GAGAS, the FEC OIG conducted a\nwork product analysis to determine the GAGAS audit population for testing. The basis of the\nFEC OIG\xe2\x80\x99s conclusion for the selected audits is outlined in the table on page five and includes\nsix criteria. Contrary to CFTC OIG\xe2\x80\x99s response above, the timeframe in which the audit was\nconducted was not one of the six criteria considered for selecting audits for peer review testing;\nrather the decision was based on a preponderance of evidence. We would also like to reiterate\nthat we gave notice to the CFTC OIG at the start of fieldwork concerning which audits had been\nselected for review, and formally notified the Inspector General prior to the end of fieldwork,\nand no concerns or objections were made following these notifications.\n\nIn regards to the CFTC\xe2\x80\x99s conscious decision to not perform a cost comparison in the 2008\nReview of Agency Use of Contractors, the audit work performed by the CFTC OIG was\ninsufficient to support assertions made to the CFTC Chairman and Congress regarding the cost\nanalysis of CFTC contracts. Specifically, the audit report and a SAR to Congress states the\nCFTC OIG: \xe2\x80\x9c. . . chose to examine in detail the two largest Agency contracts resulting in the\ngreatest influx of contract employees to ensure that these tasks could not be performed by\nAgency employees at lesser cost\xe2\x80\x9d [emphasis added]. CFTC OIG\xe2\x80\x99s workpapers identified this\nobjective was achieved based on interviews. In our professional judgment, the CFTC OIG could\nnot properly perform an assessment of contractor costs based on interviews alone, but would\nhave required some cost analysis by the OIG, which was not performed.\n\nThe CFTC OIG has agreed to implement the recommendations, and the FEC OIG believes that\nthese recommendations when implemented will address the weaknesses identified.\n\nb.     Policies and procedures for supervisory review and independent referencing are not\n       adequate (repeat finding)\n\nIn the previous peer review, the team identified that policies on workpaper supervisory review\ndid not detail what specific actions would be performed by the reviewer or that independent\nreferencing would be performed as one of the steps. Our review of the CFTC OIG directives and\ndetailed testing of audits selected for peer review testing show this finding has not been\naddressed. According to GAS section 7.80c, auditors should document \xe2\x80\x9cevidence of supervisory\nreview, before the audit report is issued, of the work performed that supports findings,\nconclusions, and recommendations contained in the audit report.\xe2\x80\x9d\n\nOIG Directive No. 1, Quality Control Policies and Procedures, describes workpaper review as\nfollows:\n\n\n\n                                                                                                  9\n\x0c       \xe2\x80\x9c3) Review of work papers and report. Prior to issuance of the final report, the AIG-A\n       should provide all work papers and cross referenced report to the Inspector General or\n       designee for review and comment. In some instances, work paper review can occur after\n       a draft of the report is issued to management. The purpose of this review is to assist the\n       Inspector General in ensuring that the audit work meets all auditing standards and that\n       findings and recommendations in the report are sufficiently supported by evidence in the\n       work papers. The Inspector General\xe2\x80\x99s work paper review should be documented and, if\n       the review was completed by the Inspector General\xe2\x80\x99s designee, the Inspector of [sic]\n       General shall provide the final clearance of the designee\xe2\x80\x99s review of the work papers.\n       The Inspector General\xe2\x80\x99s initial on the cover sheet is sufficient evidence that the Inspector\n       General reviewed the work paper binder.\xe2\x80\x9d\n\nThe documented review process still does not describe what steps the reviewer will perform to\nensure that \xe2\x80\x9cthe audit work meets all auditing standards,\xe2\x80\x9d or how, other than initials on a cover\nsheet, the Inspector General (IG) will evidence review occurred at all. Further, the process\ndescribed does not require documenting the date supervisory review was performed and evidence\nit occurred prior to issuing the final report. Directive No. 30, Work Papers, states, \xe2\x80\x9cShould the\nInspector General review work papers during the audit process a listing of comments could be\nincluded in the work paper file.\xe2\x80\x9d This instruction indicates that performing or documenting\nsupervisory review of the workpapers is optional. There is no instruction requiring OIG staff\nreview and to document the steps taken to resolve each comment prior to issuing the final report.\nDirective No. 1, however, does include a Work Paper and Audit Report Quality Control Review\nChecklist with instructions that state:\n\n       \xe2\x80\x9cOIG Directive No. 1 has an attachment which is a review guide that the IG or designee\n       could use to document the review of work papers or the report (task number three in the\n       QC Policies and Procedures section). This checklist is NOT intended to be all inclusive-\n       - reviewers are encouraged to supplement the checklist.\xe2\x80\x9d [Emphasis added]\n\nThe checklist contains questions to help identify whether the audit was performed in accordance\nwith GAGAS. Item number 29 of 30 on the checklist asks \xe2\x80\x9cIs the report adequately cross\nreferenced to supporting workpapers?\xe2\x80\x9d There are no checklist items or instructions in the\npolicies and procedures directing how independent referencing should be performed and\ndocumented, who performed it, how it was determined the person was independent of the audit,\nor that the independent referencing must be completed prior to issuing the final report.\nAccording to the directive instructions, use of the term \xe2\x80\x9ccould\xe2\x80\x9d indicates the checklist is not\nmandatory and we noted a lack of data fields to record the date the review was performed or\nname of the person performing the review. Further, interview with CFTC OIG staff during peer\nreview fieldwork highlighted that the checklist was used by the person preparing the workpapers\nand not completed by the reviewer.\n\nIn order to illustrate good quality control standards, supervisory review and quality control\nchecklist completion must be performed independently from those who conducted the audit. The\ncurrent policies and procedures allow the IG to delegate supervisory review, but also notes that\n\xe2\x80\x9cthe CFTC OIG consists of 4 employees. Therefore most audits are conducted by one or two\nindividuals.\xe2\x80\x9d The quality control directive does not document a process to ensure adequate\n\n\n                                                                                                 10\n\x0csegregation of duties between those performing audits and those responsible for conducting\nsupervisory review. We noted the OIG staff member who performed supervisory review and\nindependent referencing of the Use of Contractors audit performed significant work on the audit\nand composed all of the report from an outline prepared by the AIGA. The supervision and\nreferencing were therefore not independent of the work performed and should not have been\nconducted by that individual. GAS, Appendix I, Supplementary Guidance, section A8.02a states\n\xe2\x80\x9cReferencing is a process in which an experienced auditor who is independent of the audit\nchecks that statements of facts, figures, and dates are correctly reported, that the findings are\nadequately supported by the evidence in the audit documentation, and that the conclusions and\nrecommendations flow logically from the evidence.\xe2\x80\x9d\n\nFor the Use of Contractors audit, we noted the documented supervisory review process of\ninitialing workpaper binder tabs failed to detect missing and incomplete workpapers, incomplete\nand inadequate report referencing, and factual error and internal inconsistencies in the final\nreport. The reviewer did not adequately assess and determine whether the audit evidence\nobtained was sufficient to support conclusions and recommendations in the report. None of the\naudit work performed by the reviewer was included in the audit file in paper or electronic form,\ntherefore the reviewer did not initial any workpaper tabs as preparer. When questioned, the\nperson who performed the supervisory review stated they had not received any instruction on\nworkpaper preparation, supervisory review or report referencing. The person further explained\nthat workpaper binder and report review \xe2\x80\x9cdoes not include any analysis of compliance with\nauditing standards,\xe2\x80\x9d rather the work is reviewed \xe2\x80\x9cfor clarity and legal cites.\xe2\x80\x9d\n\nRecommendations \xe2\x80\x93 The CFTC OIG should:\n\n1.b.1   amend current policies and procedures to better define supervisory review processes,\n        including which are optional and which are mandatory, to ensure compliance with\n        GAGAS;\n\n1.b.2   document and enforce control processes to ensure supervisory review is performed\n        independently of those planning, performing and reporting audit results;\n\n1.b.3   ensure staff assigned supervisory review responsibilities have adequate knowledge, skills,\n        ability and training to perform the task;\n\n1.b.4   document and enforce quality processes to ensure independent referencing is performed\n        and all comments or questions resolved prior to final report release;\n\n1.b.5   ensure adequate documentation is retained to support the fact that independent\n        referencing was performed;\n\n1.b.6   consider outsourcing independent referencing to another OIG or contractor to ensure\n        adequate separation between those performing audit work and referencing of reports; and\n\n1.b.7   consider transitioning to electronic workpapers to support adequate segregation of duties\n        between those conducting audits and those performing supervisory review.\n\n\n                                                                                               11\n\x0cCFTC OIG Response\nFEC OIG states that, for the Use of Contractors report, the supervisory review process pertaining\nto workpaper binder tabs \xe2\x80\x9cfailed to detect missing and incomplete workpapers, incomplete and\ninadequate report referencing, and factual error and internal inconsistencies in the final audit.\xe2\x80\x9d\nFEC OIG supplied no details to CFTC OIG in this report or any other means regarding what\nworkpapers were missing/incomplete, or regarding what factual errors and internal consistencies\nwere found. Therefore we cannot respond to these assertions.\n\nDue to low staffing levels, everyone assisted with the completion of the Review of Contractors,\nand independent referencing was not performed for this non-GAGAS project. The binders\ncreated for this non-GAGAS report were never reviewed for compliance with GAGAS.12 We did\nnot believe these processes would be necessary for this non-GAGAS review. We determined that\nthis level of effort was not warranted given staffing levels, and by the issues addressed in this\nproject.\n\nWe will perform independent referencing for all future audits through the use of another OIG or\ncontractors. Moreover, we will seek to increase staff sufficient to achieve these and other goals.\nWe have obtained an electronic workpaper system and will transition to this system immediately.\nWe are working with a former Inspector General who was head of the Peer Review Committee\nfor the Executive Council on Integrity and Efficiency to enhance and implement our remediation\nplan. We will update and improve our policies and procedures as part of our remediation.\n\nWe agree with the recommendations under section 1.b, except for 1.b.2. At item 1.b.2, FEC OIG\nrecommends that supervisory review be performed independently of those planning, performing\nand reporting audit results. We agree that GAGAS requires independent referencing to be\nperformed by a qualified reviewer who has not participated in the audit; however, we believe\nsupervision should be ongoing throughout the audit process, with the supervisor actively\noverseeing (i.e., supervising) the planning, performing and reporting of audit results. We believe\nthat GAGAS does not require audit supervision to be conducted by someone with no\ninvolvement with the audit, and FEC OIG does not provide a citation to GAGAS for this\nrecommendation.\n\nFEC OIG Analysis of Response\nCFTC OIG states in their response that the FEC OIG \xe2\x80\x9csupplied no details to CFTC OIG . . .\nregarding what workpapers were missing/incomplete, or regarding what factual errors and\ninternal [in]consistencies were found.\xe2\x80\x9d In fact, the FEC OIG did provide to the CFTC OIG\nspecific examples during the peer review fieldwork on the lack of documentation regarding\ninterview write-ups, sampling methodology, sample selection, and reporting discrepancies. In\naddition, repeated attempts were made to obtain an understanding of the reason for missing\nand/or incomplete workpapers through direct interviews with the CFTC AIGA and Counsel.\nFurther, these issues were brought to the CFTC OIG\xe2\x80\x99s attention and provided in writing during\nour peer review discussion meeting held on August 27, 2010 with the CFTC\xe2\x80\x99s IG, AIGA, and\n12\n  CFTC OIG Response: Our practice is to create and maintain electronic workpapers for all OIG projects, and to\nprint the electronic workpapers prior to issuance. Consistent with this practice, electronic workpapers were created\nduring 2007-2008 for the Use of Contractors review, In preparation for the peer review, we could not locate the\nprinted and bound copies of the workpapers so new copies were printed and bound in 2010 for this peer review.\n\n\n                                                                                                                   12\n\x0cCounsel, as well as the peer review exit conference. Unfortunately, for reasons unknown to the\nFEC OIG, the CFTC OIG was ill prepared to discuss the details of the peer review results at\nthese meetings, even though the CFTC OIG had been provided written documentation by the\npeer review team in advance of the meetings.\n\nIn regards to CFTC\xe2\x80\x99s exception to recommendation 1.b.2, this recommendation refers to\nsupervisory review rather than independent referencing. The FEC OIG agrees that supervisory\nreview should be ongoing throughout the audit process. GAGAS 7.53 states: \xe2\x80\x9cAudit supervision\ninvolves providing sufficient guidance and direction to staff \xe2\x80\xa6reviewing the work performed,\nand providing effective on-the-job training.\xe2\x80\x9d To comply with GAGAS 7.53 in reviewing the\nwork performed by the staff (supervisory review), the reviewer should be independent of the\nstaff performing the audit. As with the Review of Agency Use of Contractors audit, the CFTC\nOIG staff person who performed supervisory review also performed detailed testing and played a\nsignificant role in composing the audit report. Simply stated, supervisory review is the\nsupervision of others responsible for conducting the audit. Although we recognize the CFTC\nOIG is a small office, we believe appropriate supervision could have been performed to adhere to\nGAGAS.\n\nThe FEC OIG encourages the CFTC OIG to take all recommendations in consideration to\nimprove the indentified weaknesses.\n\nc.     Policies and procedures do not reference independence standards\n\nThe CFTC OIG had an actual impairment to independence during this peer review period\nrelating to its ability to independently select the independent public accounting (IPA) firm to\nperform the Commission\xe2\x80\x99s annual financial statement audit. For the fiscal year (FY) 2009 audit,\nthe CFTC Contacting Officer and Chairman selected an IPA firm against the recommendation of\nthe Inspector General (IG). The external impairment restricting the OIG from selecting the IPA\nwas cured in FY 2010 by outsourcing OIG contracting officer support to the Department of\nInterior. Currently, the CFTC OIG policies and procedures are silent with respect to assessing\nboth internal and external independence impairments.\n\nGAS section 3.53b states, \xe2\x80\x9cAn audit organization should include policies and procedures in its\nsystem of quality control that collectively address: Independence, legal, and ethical\nrequirements: Policies and procedures designed to provide reasonable assurance that the audit\norganization and its personnel maintain independence, and comply with applicable legal and\nethical requirements.\xe2\x80\x9d\n\nRecommendations \xe2\x80\x93 We note that corrective actions have been taken by the CFTC to ensure OIG\nindependence in selecting the IPA to perform the annual financial statement audit in 2010. The\ncontract option years do not require competition for IPA selection until 2014. To ensure future\nindependence impairments are adequately assessed and addressed, we recommend that CFTC\nOIG:\n\n\n\n\n                                                                                                 13\n\x0c1.c.1   comply with GAS 3.11 and \xe2\x80\x9cinclude policies and procedures for identifying and\n        resolving external impairments as part of their quality control system for compliance with\n        GAS independence requirements;\xe2\x80\x9d and\n\n1.c.2   formally document its policies and procedures for assessing and reporting potential\n        internal independence impairments in accordance with GAS 3.08.\n\nCFTC OIG Response\nWe are pleased that FEC OIG found that CFTC OIG cured an external impediment to OIG\nindependence. Our efforts to alleviate the impairment included the submission of memos to\nAgency and Congressional staff, as well as meetings and discussions with Agency staff and\nCongressional staff. We agree to the findings and recommendations and will include policies and\nprocedures for identifying and resolving external impairments as part of our quality control\nsystem and will formally document policies and procedures for assessing and reporting potential\ninternal impairments in accordance with GAS requirements.\n\nFEC OIG Analysis of Response\nThe CFTC OIG has agreed to implement the recommendations, and the FEC OIG believes that\nthese recommendations when implemented will address the weaknesses identified.\n\nd.      Reporting on annual analysis of monitoring processes\n\nGAS 3.54 states audit organizations should \xe2\x80\x9canalyze and summarize the results of its monitoring\nprocedures at least annually, with identification of systemic issues needing improvement, along\nwith recommendations for corrective action.\xe2\x80\x9d According to CFTC OIG staff, the analysis was\nperformed and no systemic issues were identified; however, a summary or report of analysis was\nnot prepared due to competing priorities.\n\nRecommendation \xe2\x80\x93 The CFTC OIG should:\n\n1.d.1   plan, conduct, and monitor analysis of monitoring procedures, at least annually, to\n        evaluate:\n\n        \xe2\x80\xa2    adherence to professional standards;\n        \xe2\x80\xa2    whether the quality control system has been appropriately designed; and\n        \xe2\x80\xa2    whether quality policies and procedures are operating effectively and complied with\n             in practice.\n\nCFTC OIG Response\nWe agree with the findings and consistent with GAS 3.54 we will implement the recommendation.\n\nFEC OIG Analysis of Response\nThe CFTC OIG has agreed to implement the recommendation, and the FEC OIG believes that\nthis recommendation when implemented will address the weakness identified.\n\n\n\n\n                                                                                                14\n\x0c2.     Deficiency \xe2\x80\x93 System of Quality Control Compliance\n\nThe CFTC OIG staff did not comply with its documented quality control procedures. We noted\nthe following compliance deficiencies during peer review testing:\n\na.     Preparing and retaining workpapers\n\nThe CFTC OIG does not use electronic audit software to create and maintain workpapers and\naudit files. Instead workpapers are prepared electronically and then printed and consolidated into\naudit files. The CFTC OIG Directive 30, Work Papers, defines the policies and procedures for\nboth manual and electronic workpaper creation, audit file preparation and indexing. Directive\n70, Recordkeeping, Retention Schedule, and FOIA, describes audit file retention and disclosure\nprocesses. We found that the OIG did not comply with the directives and failed to prepare\nworkpaper files for several audits. GAS section 7.80a-c states, \xe2\x80\x9cUnder GAGAS, auditors should\ndocument the following: a) the objectives, scope, and methodology of the audit; b) the work\nperformed to support significant judgments and conclusions, including descriptions of\ntransactions and records examined; and c) evidence of supervisory review, before the audit report\nis issued, of the work performed that supports findings, conclusions, and recommendations\ncontained in the audit report.\xe2\x80\x9d\n\nAfter being informed that there were no workpaper files for the GPRA reviews performed\nannually from 2001 through 2007, we asked to see other workpaper files that might have been\nsubject to our peer review testing. The CFTC OIG was unable to provide the 2007 and 2008\nFISMA (Federal Information Security Management Act) files and volunteered that the 2008\nFMFIA A-123 review had not been subject to supervisory review. When questioned about when\nthe workpaper folders presented for peer review were physically assembled and signed as\nprepared and reviewed, a CFTC OIG staff member informed us that the files were prepared \xe2\x80\x9ca\ncouple of weeks\xe2\x80\x9d prior to the start of the peer review fieldwork, 13 and also stated another OIG\nmember worked on the weekends prior to peer review fieldwork commencing to get the\nworkpapers printed, filed in folders, and prepared for supervisory review. The individual then\nprovided an email which showed the Use of Contractors file had supervisory review performed\nby the OIG\xe2\x80\x99s Attorney-Advisor on August 2, 2010, the day before peer review fieldwork\ncommenced. The staff member also stated that both the 2009 FMFIA and 2009 FISMA folders\nwere recently signed as reviewed. The 2009 FMFIA workpapers were augmented in June and\nJuly 2010 to document the work performed by the OIG in September and October 2009. Based\non the information provided, it is evident the CFTC OIG is not compliant with its policies and\nprocedures and did not prepare workpaper files as a standard practice.\n\nAs stated previously, supervisory review by the CFTC OIG is evidenced by manually signing\nworkpaper folder tabs. If the OIG does not prepare manual workpaper files and include all\nsupporting records of work performed, then the OIG cannot ensure adequate supervisory review\nis performed or that all official records are retained.\n\n\n13\n  The CFTC OIG was contacted on May 27, 2010 to communicate the FEC OIG\xe2\x80\x99s assignment as peer reviewer and\nto discuss the timing of fieldwork.\n\n\n                                                                                                       15\n\x0cRecommendations \xe2\x80\x93 The CFTC OIG should:\n\n2.a.1   prepare workpaper files for all OIG work products at the time work is performed and\n        retain them in accordance with OIG and National Archives and Records Administration\n        (NARA) record retention standards;\n\n2.a.2   obtain and maintain adequate documentation on the dates workpapers are prepared and\n        reviewed; and\n\n2.a.3   ensure all workpapers are prepared and approved prior to the issuance of the final reports\n        to the CFTC.\n\nCFTC OIG Response\nWe agree with the findings and will implement the recommendations for all future audits.\nHowever, several FEC OIG statements are incorrect, or not apt. Specifically:\n\n        - While CFTC OIG did not comply with internal policies and procedures pertaining to\n        workpapers before issuing reports, workpapers needed to support each report were\n        created as part of ongoing fieldwork and completed before each report was issued.\n\n        - Except for the workpapers for the 2007 and 2008 FISMA reports, workpapers were\n        provided to FEC OIG when requested. We have since located the original 2007 FISMA\n        file \xe2\x80\x93 a 2 inch binder of workpapers. The workpaper binder for the 2008 FISMA Audit \xe2\x80\x93\n        also a two inch binder \xe2\x80\x93was not located, and has been constructed from the existing\n        electronic files created in 2008.\n\n        - With regard to GPRA we would note that our GPRA work was not presented to FEC\n        OIG as a GAGAS audit subject to peer review under GAS. The time period cited by FEC\n        OIG \xe2\x80\x93 2001 to 2007 \xe2\x80\x93 includes several years outside the scope of this peer review. (We\n        would note that our GPRA work was neither addressed nor criticized in the peer reviews\n        performed on CFTC OIG in 2001, 2004, and 2007).\n\n        - CFTC OIG\xe2\x80\x99s GPRA work was the responsibility of the former CFTC Deputy Inspector\n        General. He retired in 2007. We did not believe it advisable to present the GRPA work\n        that was completed during the period of this review (October 2006-March 2007) mainly\n        because, as non-GAGAS work, it fell outside the scope of this peer review.\n\nFEC OIG Analysis of Response\nDuring the peer review fieldwork, the CFTC OIG failed to provide workpapers of two interviews\nconducted during the Use of Contractors audit; six other interview workpapers were not filed in\nthe official audit file for review by the peer review team, but were later provided by the AIGA\nwhen requested by the FEC OIG. Based on these examples and the work we performed during\nthe peer review, we stand by our statement that workpapers were not prepared in a timely\nmanner.\n\n\n\n\n                                                                                                16\n\x0cThe 2007 GPRA report prepared for the March 2008 Semiannual Report (SAR) to Congress was\nwithin the scope of the current peer review. As presented in the SAR, the FEC OIG believed the\nwork could be subject to GAGAS testing as an attestation engagement due to the CFTC OIG\xe2\x80\x99s\nreporting statement to Congress: \xe2\x80\x9cBased upon those reviews, the OIG has determined that the\nCommission has complied with GPRA\xe2\x80\x99s terms.\xe2\x80\x9d The lack of files to support the positive\nassurance presented in the SAR to Congress raised additional concerns with respect to the CFTC\nOIG\xe2\x80\x99s ability to determine the type of work performed and minimum quality standards under\nwhich it could be performed.\n\nThe CFTC OIG has agreed to implement the recommendations, and the FEC OIG believes that\nthese recommendations when implemented will address the weaknesses identified.\n\nb.     Continuing professional education (CPE) requirements and documentation (repeat\n       finding)\n\nGAS states in section 3.48 that \xe2\x80\x9cThe audit organization should have quality control procedures to\nhelp ensure that auditors meet the continuing education requirements, including documentation\nof the CPE completed.\xe2\x80\x9d The Inspector General (IG) did not meet the GAS 80 hour CPE\nrequirement for the two year period January 1, 2007 through December 31, 2008. Further, the\nIG did not meet the GAS minimum requirement of 20 hours of training in 2009. Our review\nidentified the IG as conducting interviews for one audit selected for peer review, as well as\nsigning all reports or memoranda to management and the Chairman communicating the results of\nthe audits. The IG also stated he reviews all audit files, but does not sign-off as the reviewer.\nAccording to GAS, these are functions that require adherence to the GAS CPE requirements.\nThis was also a finding identified in the prior peer review. During the 2007 peer review, neither\nthe IG nor the former Deputy Inspector General met the 80 hour CPE requirement.\n\nWe also found the CFTC OIG did not have adequate documentation to support the CPEs\nreported for the IG or other staff. In response to the prior peer review report finding regarding\nlack of adequate documentation of CPE training attended, the CFTC OIG proposed the following\nremediation strategy:\n\n       \xe2\x80\x9cThe Office of Inspector General will enhance its record keeping of the Continuing\n       Professional Education (CPE) courses and hours for its staff. All staff members will\n       supply to the administrative person all certificates and records of attendance at all CPE\n       courses. In addition, each staff member is responsible for logging into a centralized MS-\n       Excel spreadsheet all pertinent details associated with any relevant CPE course work.\xe2\x80\x9d\n\nOur review of the centralized spreadsheet and supporting documentation again identified that\nstaff did not obtain or maintain adequate support for training attended. Further, the CFTC OIG\ndid not establish a two year reporting cycle and staff differed in how they applied the two year\nreporting period: some reported based on a fiscal year, others on a calendar year cycle.\n\n\n\n\n                                                                                               17\n\x0cRecommendations \xe2\x80\x93 The CFTC OIG should:\n\n2.b.1      take steps necessary to ensure the staff meets their responsibilities for CPE requirements\n           and maintain documentation, as described by GAS, supporting CPE hours earned.\n\nBecause the prior finding has not been cleared by the practice to maintain a centralized\nspreadsheet, the following additional controls are recommended for the CFTC OIG:\n\n2.b.2      Staff required to comply with the GAS standards should include the requirement in their\n           annual performance plans and monitor progress towards meeting the training objectives\n           quarterly;\n\n2.b.3 Staff should only record CPEs for training that qualify as CPE under GAS; 14\n\n2.b.4      Adequate funds for training should be requested in order to meet the training\n           requirements. The current annual budget of $5,000 for all staff may not be sufficient; and\n\n2.b.5      The centralized spreadsheet should be reviewed quarterly to ensure staff are on track to\n           meet annual and biennial training requirements, as well as verify that adequate\n           documentation to support CPEs reported in the spreadsheet are maintained.\n\nCFTC OIG Response\nWe agree with the findings and will implement the recommendations. With regard to item 2.b.4.,\nadditional funding will be requested only to the extent we are able to document the need. We would\npoint out that, although the Inspector General has not participated in an abundance of classroom\ntraining during the peer review period, he has attended numerous professional meetings, including\nmonthly meetings for the Inspectors General for the financial regulators (both prior and subsequent\nto passage of the Dodd-Frank Act), in which ongoing legal and regulatory issues applicable to the\nagency and the IG community were discussed.\n\nFEC OIG Analysis of Response\nThe CFTC OIG has agreed to implement the recommendations, and the FEC OIG believes that\nthese recommendations when implemented will address the weaknesses identified. Further, the\nFEC OIG believes the results of this peer review are a reasonable basis to document the need for\nadditional funding to ensure the CFTC OIG complies with the GAGAS CPE requirements.\n\nc.         Reports made available to the public\n\nThe CFTC OIG does not make audit reports available to the public via the internet when the\nreports are issued to the public, as required by the IG Reform Act of 2008 (IG Act). Specifically,\nthe OIG\xe2\x80\x99s contracted annual financial statement audit reports are not available on the OIG\xe2\x80\x99s\nwebsite. These annual audit reports are included in the agency\xe2\x80\x99s annual Performance and\nAccountability Reports, which are made available to the public. As a result, the OIG has failed\nto adhere to the IG Act requirement that \xe2\x80\x9cnot later than 3 days after any report or audit (or\n\n14\n     GAS, Guidance on GAGAS Requirements for Continuing Professional Education,\xe2\x80\x9d GAO-05-568G, April 2005.\n\n\n                                                                                                        18\n\x0cportion of any report or audit) is made publicly available, post that report or audit (or portion of\nthat report or audit) on the website of the Office of Inspector General.\xe2\x80\x9d We noted that other\nreports are available on the OIG\xe2\x80\x99s website, primarily Semiannual Reports to Congress, but no\naudit reports are available on the OIG\xe2\x80\x99s publicly accessible internet website.\n\nCFTC OIG Directive No. 50 states:\n\n        \xe2\x80\x9cThe Administrative Assistant will distribute the final audit report to the auditee, the\n        Chairman, and other appropriate members of CFTC management. Audit reports are\n        written with disclosure to the public in mind; see section 8.05 of the Government\n        Auditing Standards, July 2007 Revision. In accordance with the IG Reform Act of 2008,\n        an audit is posted to the CFTC OIG website not later than 3 days after the report is made\n        publicly available. 5 U.S.C. App. 3 Sec. 8L.\xe2\x80\x9d\n\nBased on these facts, the CFTC OIG is not compliant with its own policies and procedures for\nmaking reports available in accordance with the IG Reform Act.\n\nRecommendation \xe2\x80\x93 The CFTC OIG should:\n\n2.c.1   make its reports available to the public in accordance with internal policies, procedures,\n        and the IG Reform Act of 2008.\n\nCFTC OIG Response\nWe agree with the findings and recommendations. A link to the financial statement audit has\nbeen added to the CFTC OIG webpage.\n\nFEC OIG Analysis of Response\nThe FEC OIG believes the CFTC OIG has taken steps in the right direction to implement this\nrecommendation.\n\nd.      Audit planning control assessment was not performed or documented (repeat finding)\n\nGAS section 7.16, Field Work Standards for Performance Audits, indicate that auditors should\nobtain an understanding of internal controls significant to the audit objective. If the auditor\ndetermines that certain standards do not apply, or if an applicable standard is not followed, the\nreason therefore, and the known effects of not following the applicable standard should be\ndocumented. The GAS Reporting Standard for Performance Audits states that auditors should\ninclude in the audit report, the scope of their work on internal controls, any significant\ndeficiencies found during the audit and any departures from GAS. During our review of the\nworkpapers for the Use of Contractors audit we found that the CFTC OIG did not document an\nassessment of internal controls. Further, it was not documented in the workpapers or the audit\nreport that internal controls were not assessed. This finding was also reported in the prior peer\nreview conducted by the NEH OIG in 2007.\n\nThe Use of Contractors audit \xe2\x80\x9csought to ensure that the Agency was not employing contractors\nto perform inherently governmental functions and, for the two largest contracts, was not\n\n\n                                                                                                   19\n\x0cemploying contractors to perform work that could be performed by agency employees at lesser\ncost.\xe2\x80\x9d Both the Executive Summary and the Objectives, Scope and Methodology sections of the\nfinal audit report indicated that a detailed cost benefit analysis would be, and had been\nperformed, for the two contracts selected for detailed review. The Conclusion section of the\naudit report, however, stated that a detailed analysis was not performed based on opinions of\nthose interviewed. Legal criteria is documented in the audit report and file, however OIG staff\ndid not use that criteria to assess whether or not the agency had adequate internal controls to\nensure services that were considered \xe2\x80\x9cinherently governmental\xe2\x80\x9d were not contracted to external\nproviders.\n\nRecommendations \xe2\x80\x93 The CFTC OIG should:\n\n2.d.1   conduct adequate audit planning and sufficiently assess internal controls, audit risk, and\n        user needs;\n2.d.2   plan and perform audit testing to meet GAS requirements and user needs;\n2.d.3   clearly document planning decisions and deviations from GAS in the audit file and\n        report; and\n2.d.4   employ an experienced auditor to augment the current non-audit OIG staff.\n\nCFTC OIG Response\nThe Executive Summary for the Use of Contractors report stated that OIG sought to \xe2\x80\x9censure that\nthe Agency. . . for the two largest contracts, was not employing contractors to perform work that\ncould be performed by agency employees at lesser cost.\xe2\x80\x9d The Objectives, Scope and\nMethodology section stated that OIG sought \xe2\x80\x9cto ascertain whether the services obtained through\n[the two largest contracts] could be obtained in equal measure through CFTC full time\nemployees and, if so, whether the use of contractors in place of full time employees was cost-\neffective.\xe2\x80\x9d The Report made clear that cost was a concern to be addressed, but did not state that a\ndetailed cost benefit analysis had been performed, and though we were aware that examination\nof the Agency\xe2\x80\x99s use of contractors may require a cost comparison \xe2\x80\x93 not cost benefit analysis -,\nultimately we concluded that even a cost comparison was not needed. We fail to understand how\nFEC OIG can claim that both the Executive Summary and the Objectives, Scope and\nMethodology sections of the final audit report indicated that a detailed cost benefit analysis\nwould be, and had been performed, because they do not provide any reference to the text.\nHowever, we agree that our decision not to perform a cost comparison should have been\ndocumented in the work papers even though the decision was clearly explained in the report.\n\nThe Report explained:\n\nIf the task requires unusual expertise such that qualified individuals cannot be obtained at CT\npay levels, or if the work is temporary in nature, it may be impossible or impracticable to find\nindividuals willing to work for CT pay or on a temporary basis. If that is the case, it will be\nappropriate to hire contract employees.\n\n\n\n\n                                                                                                   20\n\x0cWith regard to the two largest contracts, CFTC OIG concluded that the services procured required\nsufficiently unusual expertise (i.e., computer programming) or work of a temporary nature (i.e., both\ncomputer programming and help desk services for successive IT systems and processes used at\nCFTC), to warrant treatment of both services as necessitating the use of contractors rather than full\ntime employees. That is, in order to transition to successive systems for programming and help desk\nservices, contractors would be able to provide constant and rapidly evolving services, while full time\nemployees would require constant retraining that would result in a sacrifice of speed and efficiency,\nwith little to no benefit associated with prior experience with defunct Agency IT systems.\nConsequently, we determined that the Agency\xe2\x80\x99s need to be able to quickly transition to new systems\nmandated the use of contract employees and that the work performed under these contracts could\nNOT be provided in equal measure by full time employees,15 and stated our conclusion in the section\ntitled \xe2\x80\x9cConclusions.\xe2\x80\x9d We disagree with the FEC\xe2\x80\x99s statement that a cost-benefit analysis was\nnecessary.\n\nUse of Contractors ultimately was not conducted as a GAGAS audit. Accordingly, at footnote 18, the\nReport stated: \xe2\x80\x9cDuring this review we chose not to examine the internal controls associated with\nproducing help-desk data such as frequency of service calls.\xe2\x80\x9d We did not address our decision\nwhether to examine controls associated with other Agency functions involved with our review, and\nagree that standards applicable to GAGAS-compliant audits would require more detailed treatment of\nAgency controls. During our field work for Agency Use of Contractors, we determined the level of\neffort necessary to test Agency controls would not bring value to the project, which had a narrow\npurpose.\n\nWe agree with the findings (as tempered by our comments, above) and will implement the\nrecommendations for all future audits.\n\nFEC OIG Analysis of Response\nWe acknowledge the Use of Contractors audit report did not specifically indicate that a detailed\ncost-benefit analysis would be performed. However, our conclusion remains unchanged; the\naudit work performed was insufficient to achieve the stated objectives, as required by GAGAS.\nThe CFTC OIG\xe2\x80\x99s Semiannual Report to Congress at the completion of the audit stated that\nCFTC OIG \xe2\x80\x9c. . . chose to examine in detail the two largest Agency contracts resulting in the\ngreatest influx of contract employees to ensure that these tasks could not be performed by\nAgency employees at lesser cost\xe2\x80\x9d [emphasis added]. In addition, the Objectives, Scope, and\nMethodology section of the audit report for the Use of Contractors states \xe2\x80\x9c. . . ascertain whether\nthe services obtained through these contracts could be obtained in equal measure through CFTC\nfull time employees and, if so, whether the use of contractors . . . was cost effective.\xe2\x80\x9d In order\nto be in compliance with GAGAS 1.29, which states, \xe2\x80\x9cAudit objectives that focus on economy\n\n\n15\n   CFTC OIG Response: Granted, our analysis was based mostly on interviews of CFTC employees; however, we\ndid not limit our interviews to CFTC employees with an interest in the outcome of our review. In addition to CFTC\nIT managers (who arguably might seek affirmation that the use contract employees was proper), we interviewed\nusers who depend on CFTC IT services to monitor the markets and enforce the Commodity Exchange Act. We also\ninterviewed current CFTC employees who had previously performed the same services now performed under the\ntwo largest contracts (starting either as full time or contract employees), but had transitioned to other full-time work\nat CFTC.\n\n\n                                                                                                                     21\n\x0cand efficiency address the costs and resources used to achieve program results,\xe2\x80\x9d a cost\ncomparison or analysis should have been performed to achieve the CFTC OIG\xe2\x80\x99s audit objective.\n\nIn regards to the intended scope of the Use of Contractors audit, based on the CFTC OIG\xe2\x80\x99s\nplanning documents and Executive Summary of the audit report, CFTC OIG\xe2\x80\x99s objective \xe2\x80\x9c. . .\nwas to provide the Chairman with a complete picture of the Agency\xe2\x80\x99s use of contractors . . .\xe2\x80\x9d\n[emphasis added]. This objective concludes that the audit was not intended to have a narrow\npurpose.\n\nThe FEC OIG encourages the CFTC OIG to take all recommendations in consideration to\nimprove the indentified weaknesses, and to also comply with GAGAS 1.29 for future audits that\ninclude objectives related to economy and efficiency.\n\ne.     Audit evidence and documentation\n\nNumerous deficiencies in audit evidence and documentation were noted in the Agency\xe2\x80\x99s Use of\nContractors audit workpapers. First, the audit relied nearly exclusively on testimonial evidence.\nThe audit planning for the Use of Contractors audit did not identify sources of audit evidence and\ndetermine the amount and type of evidence needed given audit risk and significance. GAS\nsection 7.55 requires auditors to \xe2\x80\x9c\xe2\x80\xa6 obtain sufficient, appropriate evidence to provide a\nreasonable basis for their findings and conclusions.\xe2\x80\x9d It does not appear the audit team\nadequately assessed the nature and profile of the program and the needs of potential users of the\naudit report. For the two contracts selected for detailed review by the CFTC OIG, the report did\nnot convey the relative costs and staffing levels for the periods when CFTC employees were\nused compared to the current model of fully contracted services. Further, the report did not\ndescribe current and forward year contract costs or staffing levels compared to projected costs if\nCFTC had retained employees or chose to convert the contracts back to the federal employees.\nThe information on number of employees, relative costs of employees compared to contractors,\ncurrent and forward year contract costs, and analysis between the two options was necessary to\nmeet the stated audit objective that \xe2\x80\x9cfor the two largest contracts, was not employing contractors\nto perform work that could be performed by agency employees at lesser cost.\xe2\x80\x9d\n\nThe team did not perform sufficient work to evaluate the objectivity, credibility, and reliability of\ntestimonial evidence. Some of the testimonial evidence was not located in the audit file, but was\nproduced during the peer review. Other testimonial evidence referenced in the audit file could\nnot be located. Detailed review of some interviews by the peer review team showed\ninconsistencies between information presented as fact in interviews, compared to contract\ninformation and summary schedules present in the workpapers.\n\nThe audit workpapers did not include documentation to describe the sampling method used and\nwhether or not the method was appropriate for the audit objectives. Further, the audit file did not\ninclude documentation describing the analysis or testing performed on 235 contracts initially\nreviewed to obtain the sample of 65 contracts described in the audit report. There is also no\ndocumentation in the file to support that the OIG staff performed sufficient work to determine\nthe reliability of information obtained from the Contracting Officer used as the initial population\nfor detailed testing. In addition, OIG staff did not clearly document the work performed to\n\n\n                                                                                                  22\n\x0csupport significant judgments and conclusions, including descriptions of transactions and records\nexamined. The detail on whether or not the 65 contracts were tested as inherently governmental\nis not documented in the workpapers.\n\nThe workpapers did not include internal referencing or summary workpapers to enable an\nexperienced auditor to understand the nature, timing, and extent of work performed. Only by\nperforming a detailed review of the limited audit file and holding repeated interviews with OIG\nstaff was the peer review team able to understand the extent of work performed for the Use of\nContractors audit.\n\nOIG staff did not ensure all mandatory or presumptively mandatory16 GAGAS requirements\nwere met or achieved by alternate procedures in accordance with GAS section 1.12a. In\naddition, the reasons for departures from GAGAS requirements were not documented in\naccordance with GAS section 1.12b.\n\nFor the 2009 FMFIA A-123 audit, findings and recommendations were not developed for the\naudit. Instead, the OIG staff member documented comments on CFTC control assessments\nwhere exceptions were noted, and the OIG communicated them verbally to management.\nResponses from management to the OIG were also received verbally and not documented in the\naudit file. The OIG staff member did not prepare a comment sheet on each control assessment\nreviewed. Instead, comment sheets were only prepared for control assessments if a deficiency\nwas noted. This practice could not allow the person conducting supervisory review to determine\nwhether all control assessments had been reviewed by the OIG and that the testing was complete.\n\nRecommendations \xe2\x80\x93 The CFTC OIG should:\n\n2.e.1   require staff attend audit training to ensure they plan for, obtain, and prepare adequate\n        audit evidence to comply with the GAS standards;\n\n2.e.2   develop findings and clearly document the communication of the findings to\n        management, and management\xe2\x80\x99s agreement or disagreement with the findings;\n\n2.e.3   retain the information on communicated findings, management\xe2\x80\x99s response, corrective\n        actions taken by management, and OIG verification of corrective actions in the audit file,\n        and also include the information in the audit report, where applicable.\n\n\n\n\n16\n   GAS 1.07 defines the two categories of professional requirements, identified by specific terms, to describe the\ndegree of responsibility they impose on auditors as follows: a) unconditional requirements associated with the words\nmust or is required, and b) presumptively mandatory requirements associated with the word should. Under the\nstandard, \xe2\x80\x9cAuditors and audit organizations are required to comply with presumptively mandatory requirements in\nall cases where the requirement applies; however, in rare circumstances, auditors and audit organizations may depart\nfrom a presumptively mandatory requirement provided they document their justification for the departure and how\nthe alternative procedures performed in the circumstances were sufficient to achieve the objectives of the\npresumptively mandatory requirement.\xe2\x80\x9d\n\n\n                                                                                                                 23\n\x0cCFTC OIG Response\nFEC OIG states: \xe2\x80\x9c[t]he team did not perform sufficient work to evaluate the objectivity,\ncredibility, and reliability of testimonial evidence.\xe2\x80\x9d We would point out that we did note in the\nreport the unanimity among help desk users, all of whom stated they were satisfied with the level\nof assistance obtained from the contract help desk workers, as well as the unanimity among\nformer help desk employees who had transitioned to other Agency jobs and uniformly opined the\njob was more suitable for contractors due to the need to update the skill set on the help desk to\nkeep pace with evolving Agency systems. Certainly help desk users and former help desk\nemployees were questioned in order to, among other things, reveal inaccuracies and any possible\nbias in the statements given by IT management (who might be presumed to harbor a bias in favor\nof the correctness of their contracting decisions in the IT area). In the absence of disagreement\nacross the various players (help desk users, IT management and former help desk employees),\nwhich we believed to be an indicator of credibility, we were not inclined to devote further\nresources to test credibility and reliability.\n\nFEC OIG states: \xe2\x80\x9c[d]etailed review of some interviews by the peer review team showed\ninconsistencies between information presented as fact in interviews, compared to contract\ninformation and summary schedules present in the workpapers.\xe2\x80\x9d Because FEC OIG did not\ndescribe the substance of any interview they believed to be inaccurate, and did not describe the\nmaterials in the record that, in their mind, created an inconsistency, we disagree and cannot\nrespond. We interviewed over 30 people for this review, and do not know which ones FEC OIG\noppose. We also note FEC OIG does not indicate whether the perceived inaccuracies were\nrelevant and material to the findings and recommendations in the report.\n\nFEC OIG states: \xe2\x80\x9c[t]here is \xe2\x80\xa6no documentation in the file to support that the OIG staff\nperformed sufficient work to determine the reliability of information obtained from the\nContracting Officer used as the initial population for testing.\xe2\x80\x9d We would note that FEC OIG was\nincorrect that the initial population for our testing was provided by the Contracting Officer. We\ndirectly accessed the CFTC contracts data base to select our initial sample. Moreover, the\npopulation of CFTC contracts is reviewed each year as part of the financial statement audit. We\ndid not believe it necessary or efficient to repeat the exercise for this review. However, we agree\nthat our decision not to perform additional work to determine the reliability of information\nobtained from the CFTC contracts data base and reasons therefore should have been documented\nin the work papers.\n\nTo the extent FEC OIG addresses the lack of a cost-benefit analysis in the Use of Contractors\nreport, we repeat our previous statements regarding this issue.\n\nWe agree (except as noted above) with the findings and will implement the recommendations for\nall future audits.\n\nFEC OIG Analysis of Response\nThe FEC OIG is encouraged by the CFTC\xe2\x80\x99s agreement to implement improvements to their audit\nprocess. It is our professional judgment that the CFTC OIG did not perform sufficient work to\nevaluate the objectivity, credibility, and reliability of testimonial evidence to achieve their stated\nobjective: \xe2\x80\x9c\xe2\x80\xa6for the two largest contracts, was not employing contractors to perform work that\n\n\n                                                                                                   24\n\x0ccould be performed by agency employees at lesser cost.\xe2\x80\x9d When using testimonial evidence,\nGAGAS states:\n\xe2\x80\xa2      7.61- Testimonial evidence may be useful in interpreting or corroborating documentary\n       or physical information. Auditors should evaluate the objectivity, credibility, and\n       reliability of the testimonial evidence. Documentary evidence may be used to help verify,\n       support, or challenge testimonial evidence.\n\xe2\x80\xa2      7.68- Auditors should determine the overall sufficiency and appropriateness of evidence\n       to provide a reasonable basis for the findings and conclusions, within the context of the\n       audit objectives.\n\xe2\x80\xa2      7.70 b (3)- Evidence is not sufficient or not appropriate when . . . the evidence does not\n       provide an adequate basis for addressing the audit objectives or supporting the findings\n       and conclusions. Auditors should not use such evidence as support for findings and\n       conclusions.\n\nIn addition, based on the sole use of interviews to achieve the CFTC OIG\xe2\x80\x99s stated objective, the\nfailure to produce all interviews to the FEC OIG; the lack of workpaper support maintained in\nthe official audit file; and the inconsistencies of documented information continues to support the\nFEC OIG\xe2\x80\x99s statement that sufficient work was not performed and documented to support the\nfindings and conclusions. The substance of these instances was discussed with the CFTC OIG\nduring fieldwork and at the August 27, 2010 discussion meeting, and we were prepared to\ndiscuss them further during the exit conference, but as previously mentioned, the CFTC OIG was\nill prepared to discuss the report in any detail. No concerns relating to the above were brought to\nour attention during the exit conference.\n\nf.     Reporting is not compliant with GAGAS\n\nThe CFTC OIG failed to meet GAGAS reporting standards in the Use of Contractors audit\nreport. The report failed to disclose or clearly explain the relationship between the population\nand the items tested, and how the audit\xe2\x80\x99s methodology and the completed audit work supports\nthe audit objectives. According to GAS section 8.13, \xe2\x80\x9cIn reporting audit methodology, auditors\nshould explain how the completed audit work supports the audit objectives, including the\nevidence gathering and analysis techniques, in sufficient detail to allow knowledgeable users of\ntheir reports to understand how the auditors addressed the audit objectives.\xe2\x80\x9d\n\nFurther, the final report did not contain the views of the responsible officials, evaluation of\nmanagement comments, a copy of the responsible officials\xe2\x80\x99 written comments (or a summary),\nor any information on whether or not management comments were requested or provided, in\naccordance with GAS sections 8.33 and 8.43. The audit file indicates management did provide\nsome comment on the draft report.\n\nThe CFTC OIG provided a draft report to management but did not provide a final report. The\nOIG indicated to the peer review team a final report was not provided because there were no\nchanges between the draft and final report. However, the peer review team noted differences\nbetween the draft and final reports, such as the addition of two appendices, and the draft report\n\n\n\n                                                                                                    25\n\x0ccontained a \xe2\x80\x9cdraft\xe2\x80\x9d watermark throughout the written report provided to management for\ncomment.\n\nThe 2009 FMFIA A-123 Control audit report was actually a one paragraph memorandum. The\nmemorandum did not explain:\n\xe2\x80\xa2     the audit\xe2\x80\x99s objectives in a clear, specific manner;\n\xe2\x80\xa2     the reason(s) for undertaking the audit;\n\xe2\x80\xa2     the audit\xe2\x80\x99s scope, including:\n      o       the relationship between the population and the items tested;\n      o       the period covered by the audit;\n      o       the kinds and sources of evidence used; and\n      o       how the audit\xe2\x80\x99s methodology and completed audit work supports the audit\n              objectives.\n\nThe audit report (memorandum) did not include the views of the responsible officials even\nthough issues were identified by the OIG, and based on discussion during the peer review; the\nissues were communicated to management verbally. It appears oral comments were provided\nfrom management because the workpapers noted control deficiencies as \xe2\x80\x9ccured,\xe2\x80\x9d however, a\nsummary of the oral comments was not prepared and provided to the responsible officials for\nverification, and no management comments were included in the memorandum or the\nworkpapers.\n\nThe purpose of the final audit is for the OIG \xe2\x80\x9cto ensure that Agency managers continuously\nmonitor and improve effectiveness of internal control associated with their programs in\naccordance with applicable standards set by OMB.\xe2\x80\x9d The memorandum gave negative assurance\nbut did not detail the scope of work on internal control and any deficiencies in internal control\nthat were significant within the context of the audit objectives. The memorandum did not state\nthat the audit was planned and conducted as a limited review and in accordance with GAGAS,\ntherefore, there was no mention of GAGAS in the report (memorandum).\n\nThe quality control checklist used to assess and ensure reporting to GAGAS standards was not\nprepared for the Use of Contractors audit. The checklist prepared for the FMFIA audit failed to\nensure the memorandum issued to the agency Chairman complied with GAGAS reporting\nstandards.\n\nRecommendation \xe2\x80\x93 The CFTC OIG should:\n\n2.f.1   maintain a checklist devised from the peer review guidance for each audit file to ensure\n        all audit reports issued by the office contain adequate disclosures to support GAGAS\n        reporting standards.\n\nCFTC OIG Response\nWe disagree with portions of the findings but will implement the recommendation for all future\naudits. We would note once more that, with regard to the Use of Contractors report, noncompliance\nwith GAGAS stems from our consideration of that project as a non-GAGAS review. Prior to\nsubmitting Use of Contractors to the Acting Chairman, we provided a copy to the Executive Director\n\n\n                                                                                                   26\n\x0cand the Chief Information Officer (CIO). The Executive Director supervises both the contracting\nfunction and the IT department at the Agency.\n\nThe Chief Information Officer requested a minor editorial change to one sentence in the draft, and we\naltered one sentence in the draft from this \xe2\x80\x93\n\n       Furthermore, the CIO believed it possible that the help-desk may decrease in\n       size as the agency takes on younger employees who are more computer savvy\n       and less in need of frequent help-desk assistance.\n\n       to this \xe2\x80\x93\n\n       Furthermore, the CIO believed that as the agency takes on younger\n       employees who are more computer savvy and less in need of frequent help-\n       desk assistance the demand for help-desk services may decrease.\n\nThis process \xe2\x80\x93 i.e., the draft report submitted to the Executive Director and CIO, the CIO\xe2\x80\x99s requested\nchange, and the text of the new language we came up with to satisfy this minor concern \xe2\x80\x93 is\ndocumented in the working papers for Use of Contractors (which were supplied to FEC OIG for this\npeer review).\n\nGiven the minor nature of the requested change, we did not believe it necessary to ask the Executive\nDirector and the CIO to review and comment on the draft a second time. We surely did not believe\nthey would want to review the report a second time simply to see it without a \xe2\x80\x9cDRAFT\xe2\x80\x9d watermark.\nWhat mattered was the Executive Director and the CIO concurred with our findings and\nrecommendations. In the cover memo to the Acting Chairman accompanying the Use of Contractors\nreport, the Inspector General let the Acting Chairman know that the Executive Director and Chief\nInformation Officer had been consulted and both agreed with the recommendations. This cover\nmemo is also contained in the working papers. Acquiescence by the Executive Director and the CIO\nwas verbal and the cover memo documents the verbal consent.\n\nThe FMFIA 2009 report was not an audit. As previously stated, CFTC OIG\xe2\x80\x99s error was in describing\nthe report inconsistently, as a limited review but also with reference to GAGAS compliance. We take\nthis error seriously and take responsibility for creating any confusion.\n\nWe agree with the findings (as tempered by the discussion, above) and the recommendations.\n\nFEC OIG Analysis of Response\nAs stated previously, the FEC OIG conducted a work product analysis to determine the GAGAS\naudit population for testing. The basis of the FEC OIG\xe2\x80\x99s conclusion for the selected audits is\noutlined in the table on page five and includes six criteria. Contrary to CFTC OIG\xe2\x80\x99s response\nabove that the 2009 FMFIA assignment was not an audit, we determined the assignment was an\naudit based on a preponderance of the criteria detailed on page five of this report.\n\nThe CFTC OIG has agreed to implement the recommendation, and the FEC OIG believes that\nthe recommendation when implemented will address the weakness identified.\n\n\n                                                                                                    27\n\x0cIn addition to reviewing its system of quality control to ensure adherence with Government\nAuditing Standards, we applied certain limited procedures in accordance with guidance\nestablished by the CIGIE related to CFTC OIG\xe2\x80\x99s monitoring of audit engagements performed by\nindependent public accountants (IPA) under contract where the IPA served as the principal\nauditor. It should be noted that monitoring of engagements performed by IPAs is not an audit\nand therefore is not subject to the requirements of Government Auditing Standards. The purpose\nof our limited procedures was to determine whether CFTC OIG had controls to ensure IPAs\nperformed contracted work in accordance with professional standards. However, our objective\nwas not to express an opinion and accordingly, we do not express an opinion, on CFTC OIG\xe2\x80\x99s\nmonitoring of work performed by IPAs. We made certain comments related to CFTC OIG\xe2\x80\x99s\nmonitoring of engagements performed by IPAs that are included in a separate letter dated March\n31, 2011.\n\n\n\n\nLynne A. McFarland, Inspector General\nFederal Election Commission\n\n\nEnclosure\n\n\n\n\n                                                                                           28\n\x0c                   SCOPE AND METHODOLOGY (Enclosure 1)\n\nScope and Methodology\n\nWe tested compliance with the CFTC OIG\xe2\x80\x99s audit organization\xe2\x80\x99s system of quality\ncontrol to the extent we considered appropriate. These tests included a review of two of\nseven audit reports issued during the semiannual reporting periods ending March 31,\n2007 through March 31, 2010.\n\nIn addition, we reviewed the CFTC OIG\xe2\x80\x99s monitoring of engagements performed by\nIPAs where the IPA served as the principal auditor during the period May 21, 2009\nthrough December 31, 2009. During the period, CFTC OIG contracted for the audit of its\nagency\xe2\x80\x99s fiscal year 2009 financial statements.\n\nReviewed Engagements Performed by CFTC OIG\n\nReport No.            Report Date           Report Title\n08-01                 8/1/2008              Review of Agency Use of Contractors\n09-03                 10/30/2009            2009 FMFIA A-123 Review\n\nReviewed Monitoring Files of CFTC OIG for Contracted Engagements\n\nReport No.            Report Date           Report Title\n09-01                 11/15/2009            Report of the Independent Auditors U.S.\n                                            Commodity Futures Trading Commission\n                                            Financial Statements for Fiscal Year 2009\n\n\n\n\n                                                                                        29\n\x0c'